A guided tour to someone else's network

Step 3: The Attack

A few common attack methods work really well against modern networks and users. The first is attacking exposed servers and services (like DNS), the second is attacking web servers (which are basically application servers now), and the last is attacking through email (which is also the de facto file sharing application for many people).

The first method is pretty well understood; generally speaking, the attacker will scan for vulnerable servers with a tool such as Nmap [5][6] or Nessus [7] and then attack them using exploit code or toolkits like Metasploit [8]. Exploiting these vulnerabilities will generally allow the attacker to run hostile code, like a root shell, on the machine.

Finding All the Attacks

So how do you track down all these individual attacks? Given a specific software package (e.g., Sendmail, WordPress, DokuWiki, or MediaWiki), how do you track down the vulnerabilities affecting it? Your best bets are to check out the CVE [9] and OSVDB [10] databases, which have links to resources in each security report, and, for exploit code, Milw0rm [11] (Figure 3) and PacketStorm Security [12] (Figure 4). The Metasploit framework actually includes surprisingly few exploits – around 300 at last count. PacketStorm Security carries about 300--400 exploits a month. Chances are that if the site is running out-of-date software, you can find something on Milw0rm or PacketStorm Security that will let you attack it, and if not, the CVE and OSVDB databases often contain enough information to point you in the right direction.

Figure 3: Milw0rm.com – search results for SQL injection attacks.

Figure 4: PacketStorm Security – description of exploit code.

Attacking Web Servers

Web servers are basically application servers now, and where you have applications, you have security flaws. One of the biggest problems is the complexity of these programs. At a minimum, a "basic" application will often include: the application itself, a web server, an operating system, and a back-end database. All of these components can be attacked through flaws in the application, and in many cases, a number of small flaws can be combined to allow for code execution that lets an attacker onto the server.

If you're feeling lazy, you can also just download a web application scanner and point it at your target. Automated tools such as Nessus or like Nikto, which looks for more than 3,500 potentially dangerous files and CGI scripts, can scan a server for vulnerable applications. If these tools don't find anything with known vulnerabilities, the attacker can always use tools like WebScarab to examine and attack web applications directly. Poking around randomly often exposes interesting problems faster than you would think [13].